PSAP Security - It's Not Just Brick and Mortar

Date: 2015-05-18

As we become globally connected, we run the risk of becoming globally infected... The new reality is that we, as an industry, need to pay as much – if not more – attention to cyber security as we do to keeping the front door locked.

During the period in our history known as “The Cold War,” our country embraced what was collectively known as the “bunker mentality.” This is defined as an attitude of extreme defensiveness and self-justification based on an often exaggerated sense of being under persistent attack from others. Yes, the Commies were coming, so we had better be ready. In many cases, and especially concerning Public Safety Answering Points (PSAPs), the bunker portion was taken seriously. Many of these facilities went windowless and/or underground, surrounded by thick concrete walls and stocked with a variety of Civil Defense supplies, all in preparation for the Big One. Had Armageddon actually occurred, I am always uncertain as to who would have been left to call us, and who would still have been available to send, but by God, we were going to be ready just in case.

Now, the Cold War eventually came and went, and attitudes began to change – especially when it came to PSAP design and construction. We moved out of the dark ages into the sunlight, especially as green building initiatives began to emerge that relied on natural sunlight, which obviously is difficult to find in a basement. While the incidents of September 11th served to raise concerns, these did not drive us back to the sunken caves. Rather, they served to focus attention on how to provide physical security with less drastic measures. And, obviously, the 9-1-1 center is one place that needs to be secure.

A number of agencies and documents speak to this need for physical security. The National Fire Protection Association’s NFPA 1221 Standard for the Installation, Maintenance, and Use of Emergency Services Communications Systems, for example, speaks to the need for a security vestibule, and in some cases, bullet-resistant windows. Standards promulgated through the Department of Justice for the National Crime Information Center address maintaining a barrier between non-users and the physical computer terminals and rooms themselves. The Department of Defense defines setback standards to provide blast protection. And the list goes on.

However, in 2015, PSAP security is a lot more than brick and mortar. While keeping the bad guys from waltzing in the front door still remains critically important, we have to be increasingly mindful of not allowing them to sneak in through the virtual back door created by our numerous electronic communications systems. It was not so long ago that a significant portion of our equipment was analog in nature. While certainly not sophisticated by today’s standards, it did have one distinct advantage – the lack of microprocessors. While this made the devices “dumb,” it also made them immune to viruses, malware, and denial-of-service attacks.

As we well know, those days are gone. In fact, I struggle to think of one critical component upon which we rely that is not digital. Perhaps the last vestiges of the analog age still in major use are the CAMA (Centralized Automatic Message Accounting) trunk lines that carry our 9-1-1 calls. However, as we move forward toward the dawn of Next Generation 9-1-1, these, too, will be replaced by digital networks.

While not minimizing the need for physical security measures, the incidence of direct attacks on PSAPs does not seem to be high. From the information I’ve collected over the years, some of the few cases I could find were more likely actions directed at the law enforcement facility that housed the communications center than at the center itself. Still and all, military strategists attack command and control centers because of their critical missions, and PSAPs certainly fall into this category. However, attacking 9-1-1 doesn’t require a smart bomb. It only requires a keyboard.

As we become globally connected, we run the risk of becoming globally infected. As more of our customers use intelligent devices, our exposure to harm grows. The more our systems touch each other within the PSAP, the greater the potential for cross contamination. The new reality is that we, as an industry, need to pay as much – if not more – attention to cyber security as we do to keeping the front door locked. In January of this year, there were reports that a hacker gained access to a 9-1-1 center in Indiana. In February through April there were media accounts of law enforcement agencies in Illinois, Maine, and Massachusetts paying ransom to recover compromised data. A closer look at some 9-1-1 outages finds overloading or mis-programming computers as the cause. I’m not suggesting that these outages were intentional, but they certainly raise a red flag regarding our exposure. And since so-called “hosted” 9-1-1 solutions utilize virtual or shared servers, a single failure can impact multiple PSAPs or states.

As is the case with physical plant security, a number of regulations and guidelines exist for dealing with our electronic vulnerability. NFPA 1221, DOJ, the Association of Public-safety Communications Officials, and the National Emergency Number Association are but a few who have spoken to the issue. While some actions such as swatting – or the provision of a false caller ID to a bogus call, often of the type requiring a SWAT response – are out of the scope of a PSAP’s control, basic security does begin within the center. Passwords should be strong and regularly changed. Employees should not have access to drives or USB (Universal Serial Bus) ports that would allow input into Computer Aided Dispatch (CAD), Records Management Systems (RMS), phone, radio, recorders or other systems. The connection of personal devices to municipal hardware should also be prohibited. Internet traffic should be segregated from critical components, as should email and office automation.

Firewalls and anti-virus protection are a must, and any connections to the outside world, including those for remote vendor access, need to be closely guarded and monitored. Actions need to be taken to reduce the risk of transferring infection between all internal connections previously discussed. Here, coordination with vendors is an absolute requirement, as operating systems and application software may have conflicting requirements. Know and understand the implications of remote hosting, cloud computing, and the technical differences between Next Generation and legacy 9-1-1. Maintain dialog with carriers and service providers in order to ensure that every aspect of security is addressed. Most importantly, create a comprehensive plan for your agency that covers all devices and systems. Be sure to include both critical and non-critical components. And, in case all precautions should prove insufficient, this plan must also realistically address continuity of operation and recovery. To be effective, the plan must be reviewed and updated on a regular basis in order to address a changing landscape.

While protecting against unseen threats poses a unique set of challenges, successfully facing these challenges is becoming increasingly important to communications managers. Providing “Emergency Help. Anytime, anywhere, from any device,” takes some doing. We must be ready to deal with the changing landscape of our industry.

With more than 45 years’ experience in public safety, including managing large consolidated dispatch centers in three states, Barry now serves as a trainer and consultant for the 9-1-1 and public safety communications community. See www.barryfurey.com